Your message dated Sat, 16 May 2009 09:32:23 +0000
with message-id <e1m5gfj-0005bg...@ries.debian.org>
and subject line Bug#527597: fixed in atmailopen 1.03+dfsg+svn93-5
has caused the Debian Bug report #527597,
regarding Atmail doesn't flush some user session from the database
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
527597: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=527597
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: atmailopen
Version: 1.03+dfsg+svn93-4
Severity: grave

    I'm getting trouble with atmailopen because the first time the
user logs in to the system, his session is created and stored in the
"UserSession" table of the database. Once the user session is stored
in the database, it's *not* updated anymore, and this behaviour causes
serious disadvantages (and some of them IMHO are bugs) like the
following:


 * Keeps the cleartext password stored in the database forever. It's a
critical security issue. [1]

 * Causes a bug where users cannot log in anymore because their
passwords were changed on the server and differ from the passwords
that are currently stored in their old user sessions in the
"UserSession" table of the local database. [2]


    I fixed these issues by adding a new method in the Auth class (see
Auth.php.patch) that destroys any session for a user, both in PHP
*and* in the database. To fix issue [1] I added a call to this new method
in the logout process in the file index.php (see index.php.patch). To
fix issue [2] I added a call to this new method in parse.php
(see parse.php.patch) to clean up old sessions of the user every time he
accesses the login page.

    I'm running Debian GNU/Linux 5.0 (Lenny) and Kernel 2.6.26-2-686.

-- 
Regards,

Arthur Furlan
arthur.fur...@gmail.com
--- Auth.php	2009-05-07 15:36:19.000000000 -0300
+++ Auth-patched.php	2009-05-07 15:36:03.000000000 -0300
@@ -1,5 +1,4 @@
 <?php
-
 require_once('header.php');
 
 require_once('SQL.php');
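Review bot: this first hunk only drops the blank line after `<?php`, which is unrelated whitespace churn; leave it out so the patch stays confined to the session fix and applies cleanly against other revisions of Auth.php.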
@@ -658,6 +657,41 @@
 	   return false;
 	}
 
+	/**
+	 * Changed by Arthur Furlan <arthur.fur...@gmail.com> on 2009-05-07
+	 *
+	 *
+	 * Completely destroys the user session by removing the record in the
+	 * "UserSession" table of the database and destroying the php session.
+	 *
+	 * At the first time an user log in the system, his session is created
+	 * and stored in the "UserSession" table of the database. Once the user
+	 * session is stored in the database, it's not updated anymore and this
+	 * behaviour has some serious disadvantages like following:
+	 *
+	 * 	1. Keep the cleartext password stored in the database forever,
+         *
+	 * 	2. Causes a bug of users that cannot log in anymore because
+	 *	their passwords were changed in the server and differ from the
+	 * 	passwords that are currently stored in old user sessions on the
+	 * 	"UserSession" table of local database.
+	 *
+	 * This method should be called in the specific parts of the system to
+	 * fix the behaviours listed above.
+	 */ 
+	function destroy_session() {
+		global $atmail;
+
+		// destroys the user session in the database
+		$query = 'DELETE FROM UserSession WHERE Account = ?';
+	        $data  = array("{$this->userna...@{$this->pop3host}");
+		$atmail->db->sqldo($query, $data);
+
+		// destroys the user session in the php
+		session_regenerate_id(true);
+		session_unset();
+		session_destroy();
+	}
 
 	function get_username()
 	{
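Review bot: `DELETE FROM UserSession WHERE Account = ?` in `destroy_session()` removes every row for the account, not just the session being ended, so a user signed in from two browsers loses both sessions as soon as either one logs out; if the table carries a session-id column, key the delete on it (or on Account plus session id) and reserve the account-wide delete for the password-change case. The method also only fires on explicit logout or a later visit to the login page, so rows for sessions that are simply abandoned (browser closed) still keep the cleartext password indefinitely; a periodic expiry sweep of old rows is needed to close issue [1] fully. Minor points: the `$data` line is indented with spaces while the surrounding code uses tabs, `session_regenerate_id(true)` adds nothing once `session_destroy()` follows it, and the docblock repeats the bug report almost verbatim where a one-line summary plus a reference to #527597 would do.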
--- index.php	2009-05-07 15:38:25.000000000 -0300
+++ index-pachted.php	2009-05-07 15:42:12.000000000 -0300
@@ -120,7 +120,16 @@
 
 	}
 
-	session_destroy();
+	/**
+	 * Changed by Arthur Furlan <arthur.fur...@gmail.com> on 2009-05-07
+	 *
+	 *
+	 * Completely destroys the user session (in both php and database).
+	 *
+	 * It prevents of keeping the cleartext password stored in the database
+	 * forever (IMO i'ts a serious security issue).
+	 */
+	$auth->destroy_session();
 }
 
 $var['Ajax'] = '1';
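Review bot: `$auth->destroy_session()` depends on `$auth` being an initialised Auth instance in this scope, which the hunk does not show, while parse.php reaches the same object via `$atmail->getAuthObj()`; use one accessor in both files, and confirm `$auth` is set on the logout path even when the PHP session has already expired, otherwise this call fatals where the previous bare `session_destroy()` did not. The eight-line comment replacing a single statement can be reduced to one line referencing the bug.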
--- parse.php	2009-05-07 15:44:16.000000000 -0300
+++ parse-patched.php	2009-05-07 15:44:06.000000000 -0300
@@ -28,6 +28,19 @@
 // No auth necessary to display login page
 if ($filename == 'html/login-light.html') {
     echo $atmail->parse('html/login-light.html');
+
+    /**
+     * Changed by Arthur Furlan on 2009-05-07
+     *
+     *
+     * If there is an old user session on the database, destroy it completely.
+     *
+     * The line below fixes the bug of users that cannot log in anymore because
+     * their passwords were changed in the server and differ from the passwords
+     * that are currently stored in old sessions of the local database.
+     */
+    $atmail->getAuthObj()->destroy_session();
+
     $atmail->end();
 }
 
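Review bot: calling `$atmail->getAuthObj()->destroy_session()` on every render of `html/login-light.html` means a user who is already logged in and merely opens the login page (second tab, bookmark) has their live PHP session and database row wiped, and because the call runs after `echo $atmail->parse(...)`, any database error surfaces after output has started. Prefer deleting the stale `UserSession` row in the login handler immediately before the new session is created, which is the only point where it is known to be stale; if the call stays here, move it ahead of the `echo` and guard it so it runs only when the Auth object actually holds an account.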

--- End Message ---
--- Begin Message ---
Source: atmailopen
Source-Version: 1.03+dfsg+svn93-5

We believe that the bug you reported is fixed in the latest version of
atmailopen, which is due to be installed in the Debian FTP archive:

atmailopen_1.03+dfsg+svn93-5.diff.gz
  to pool/main/a/atmailopen/atmailopen_1.03+dfsg+svn93-5.diff.gz
atmailopen_1.03+dfsg+svn93-5.dsc
  to pool/main/a/atmailopen/atmailopen_1.03+dfsg+svn93-5.dsc
atmailopen_1.03+dfsg+svn93-5_all.deb
  to pool/main/a/atmailopen/atmailopen_1.03+dfsg+svn93-5_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 527...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Giuseppe Iuculano <giuse...@iuculano.it> (supplier of updated atmailopen package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Sat, 16 May 2009 10:23:08 +0200
Source: atmailopen
Binary: atmailopen
Architecture: source all
Version: 1.03+dfsg+svn93-5
Distribution: unstable
Urgency: low
Maintainer: Giuseppe Iuculano <giuse...@iuculano.it>
Changed-By: Giuseppe Iuculano <giuse...@iuculano.it>
Description: 
 atmailopen - elegant and intuitive ajax webmail client
Closes: 527392 527394 527597
Changes: 
 atmailopen (1.03+dfsg+svn93-5) unstable; urgency=low
 .
   * [6a3e411] debian/patches/03_hide_domain_on_login.patch: If
     $mailserver_auth is set to 0, hide domain in the login form.
     (Closes: #527392)
   * [7e64739] debian/patches/04_smtp_auth.patch: Patch to
     authenticate in SMTP using the username and password of the
     authenticated user. Thanks to Arthur Furlan. (Closes: #527394)
   * [ca83c1e] debian/patches/05_destroy_session.patch: destroy sessions
     when the user logs out, and clean up old sessions every time he
     accesses the login page. Thanks to Arthur Furlan (Closes: #527597)




--- End Message ---
